
PIX configuration Manual 3 (nat)

2025-03-29 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

1. Nat + glob

1. Translating internal addresses to an external address pool:

nat (inside) 1 2.2.2.0 255.255.255.0 (configure the inside table)

glob (outside) 1 1.1.1.10-1.1.1.20 (configure the outside table)

sh nat (view the nat inside configuration)

sh glob (view the nat global configuration)

sh user (view the users logged in to the device)

sh xlate (view the nat translation table)

sh conn (view information about the current connections)

clear xlate (clear the xlate translation entries)

clear nat (clear the nat inside configuration)

clear glob (clear the nat global configuration)

2. If there are not enough external addresses, configure PAT to translate to the outside interface address:

nat (inside) 1 2.2.2.0 255.255.255.0

glob (outside) 1 interface

3. nat + PAT, for when there is a public address pool but it does not have enough addresses:

nat (inside) 1 2.2.2.0 255.255.255.0

glob (outside) 1 1.1.1.10-1.1.1.20

glob (outside) 1 interface

4. Using an acl to control nat

access-l nat per tcp any any eq telnet

nat (inside) 1 access-l nat

glob (outside) 1 interface

sh access-l nat (view the acl named nat)

2. Nonat (also known as nat0): does not change the source and destination

(internal addresses reach external addresses without being translated) (static configuration; pay attention to the routing between devices)

1. Identity nat: nat followed by a specific address (creates an xlate entry)

nat (inside) 0 2.2.2.0 255.255.255.0

2. Bypass nat: nat followed by an acl (no xlate entry), which saves resources

access-l nonat per ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0

nat (inside) 0 access-l nonat

3. Static + access

Static one-to-one mapping (note the routing between the internal pix and the router)

1. static

static (inside,outside) 1.1.1.10 2.2.2.2

(outside: 1.1.1.10, inside: 2.2.2.2)

To test with ping: icmp is not a stateful protocol for pix, so an access control list is needed to permit icmp.

Permit icmp:

access-l out per icmp any any echo

access-l out per icmp any any echo-

access-g out in interface outside

2. Port translation

static (inside,outside) tcp interface 2114 2.2.2.2 23 (interface can also be an external address; 2.2.2.2 is the internal address)

access-l out per tcp host 1.1.1.2 host 1.1.1.1 eq 2114

access-g out in interface outside (if applying it directly is not supported, apply it in interface mode)

3. DoS defense

static (inside,outside) 1.1.1.10 2.2.2.2 1000 200 (1000 = maximum tcp connections, 200 = maximum number of half-open tcp connections)

sh static (view the static configuration)

4. access-list static (a telnet is initiated from outside to inside and mapped statically through an acl)

access-l static per tcp host 2.2.2.2 eq telnet host 1.1.1.2 (2.2.2.2 is the internal address; outbound traffic)

static (inside,outside) tcp 1.1.1.10 telnet access-list static (1.1.1.10 is the external address; the acl supplies the internal address; incoming translation)

access-l out per tcp host 1.1.1.2 host 1.1.1.10 eq telnet (defines the outbound traffic of the pix external interface)

access-group out in interface outside

Note:

Traffic has to be translated by nat to pass through the pix, and nat changes the source and destination. The exception is nonat (also known as nat0), which does not change the source and destination.

icmp is not a stateful protocol for pix, so an access control list is needed to permit icmp.

Permit icmp:

access-l out per icmp any any echo

access-l out per icmp any any echo-

access-g out in interface outside
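
An added example, not part of the original manual: a small Python audit that reads lines in the command forms shown above and reports static mappings with no half-open (embryonic) connection limit, plus ACLs that are defined but never referenced by access-g, nat or static. The sample configuration is constructed from the page's addresses; the ACL name ping and the function names are assumptions.

```python
import re

# Constructed sample in the page's command style (addresses taken from the page;
# the ACL name "ping" is made up for this example).
SAMPLE = """\
static (inside,outside) 1.1.1.10 2.2.2.2 1000 200
static (inside,outside) 1.1.1.11 2.2.2.3
static (inside,outside) tcp interface 2114 2.2.2.2 23
access-l nonat per ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
nat (inside) 0 access-l nonat
access-l out per tcp host 1.1.1.2 host 1.1.1.1 eq 2114
access-l ping per icmp any any echo
access-g out in interface outside
"""

def static_limits(line):
    """Return (max_conns, embryonic_limit) of a static line; 0 means no limit."""
    tok = line.split()[2:]                    # drop 'static' and '(inside,outside)'
    if not tok:
        return (0, 0)
    # Port form: proto, ip, port, ip, port. Address form: ip, ip.
    fixed = 5 if tok[0].lower() in ("tcp", "udp") else 2
    extra = [int(t) for t in tok[fixed:] if t.isdigit()]
    extra += [0] * (2 - len(extra))
    return (extra[0], extra[1])

def audit(config):
    """Return (finding, detail) tuples for a PIX-style configuration text."""
    findings, defined, used = [], set(), set()
    for raw in config.splitlines():
        words = raw.lower().split()
        if not words:
            continue
        if words[0].startswith("access-g") and len(words) > 1:
            used.add(words[1])                # ACL bound to an interface
        elif words[0].startswith("access-l") and len(words) > 1:
            defined.add(words[1])             # ACL entry definition
        else:
            m = re.search(r"\baccess-l\S*\s+(\S+)", raw.lower())
            if m:
                used.add(m.group(1))          # ACL referenced by nat or static
        if words[0] == "static" and static_limits(raw)[1] == 0:
            findings.append(("no-embryonic-limit", raw.strip()))
    findings += [("acl-not-applied", n) for n in sorted(defined - used)]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample, the two static lines without trailing limits and the unbound ACL ping are reported; the static with 1000 200 and the ACLs out and nonat are not.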
